Check malloc return for null in kstream_create_* instead of

unconditionally dereferencing.  Thanks to Domagoj Babic for finding
the bug.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@19640 dc483132-0cff-0310-8789-dd5450dbe970

1 files changed, 12 insertions, 0 deletions

diff --git a/src/appl/bsd/v4rcp.c b/src/appl/bsd/v4rcp.c
index 13b4623..44938db 100644
--- a/src/appl/bsd/v4rcp.c
+++ b/src/appl/bsd/v4rcp.c
@@ -122,6 +122,8 @@ static kstream kstream_create_rcp_from_fd(read_fd, write_fd, sched, ivec)
      des_cblock *ivec;
 {
   kstream tmp = (kstream)malloc(sizeof(*tmp));
+  if (tmp == NULL)
+      return NULL;
   tmp->encrypting = 1;
   tmp->read_fd = read_fd;
   tmp->write_fd = write_fd;
@@ -145,6 +147,8 @@ static kstream kstream_create_from_fd(read_fd, write_fd, sched, session)
 {
   /* just set it up... */
   kstream tmp = (kstream)malloc(sizeof(*tmp));
+  if (tmp == NULL)
+      return NULL;
   tmp->encrypting = 0;
   tmp->read_fd = read_fd;
   tmp->write_fd = write_fd;
@@ -429,6 +433,10 @@ int main(argc, argv)
 								   &crypt_session_key);
 			} else
 				krem = kstream_create_from_fd (rem, 0, 0);
+			if (krem == NULL) {
+			    error("rcp: out of memory\n");
+			    exit(1);
+			}
 			kstream_set_buffer_mode (krem, 0);
 #endif /* KERBEROS && !NOENCRYPTION */
 			(void) response();
@@ -449,6 +457,10 @@ int main(argc, argv)
 								   &crypt_session_key);
 			} else
 				krem = kstream_create_from_fd (rem, 0, 0);
+			if (krem == NULL) {
+			    error("rcp: out of memory\n");
+			    exit(1);
+			}
 			kstream_set_buffer_mode (krem, 0);
 #endif /* KERBEROS && !NOENCRYPTION */
 			if (setuid(userid)) {